Dedukti has been proposed as a universal proof checker. It is a logical framework based on the λΠ-calculus modulo that is used as a backend to verify proofs coming from theorem provers, especially those implementing some form of rewriting. We present a shallow embedding into Dedukti of proofs produced by Zenon Modulo, an extension of the tableau-based first-order theorem prover Zenon to deduction modulo and typing. Zenon Modulo is applied to the verification of programs in both academic and industrial projects. The purpose of our embedding is to increase the confidence in automatically generated proofs by separating untrusted proof search from trusted proof verification.


1 Introduction 

Program verification using deductive methods has become a valued technique among formal methods, with practical applications in industry. It guarantees a high level of confidence regarding the correctness of the developed software with respect to its specification. This certification process is generally based on the verification of a set of proof obligations, generated by deductive verification tools. Unfortunately, the number of proof obligations generated may be very high. To address this issue, deductive verification tools often rely on automated deduction tools such as first-order Automated Theorem Provers (ATP) or Satisfiability Modulo Theories solvers (SMT) to automatically discharge a large number of those proof obligations. For instance, Boogie is distributed with the SMT solver Z3 [4] and the Why3 platform with Alt-Ergo [16]. After decades of constant work, ATP and SMT solvers have reached a high level of efficiency and now discharge more proof obligations than ever. In the end, many of these program verification tools use their corresponding ATP or SMT solver as oracles. The main concern here is the level of confidence users give to them. These programs are generally large pieces of software, consisting of tens of thousands of lines of code, using elaborate heuristics, with some ad hoc proof traces at best, and with a simple "yes or no" binary answer at worst.

A solution, stated by Barendregt and Barendsen [2] and pursued by Miller [17] among others, relies on the concept of proof certificates. ATP and SMT solvers should be seen as proof-certificate generators. The final "yes or no" answer is therefore left to an external proof checker. In addition, Barendregt and Barendsen proposed that proof checkers should satisfy two principles, called the De Bruijn criterion and the Poincaré principle. The former states that proof checkers have to be built on a light and auditable kernel. The latter recommends that they distinguish reasoning from computing, and that it should not be necessary to record pure computational steps.

Relying on an external proof checker to verify proofs strongly increases the trust we give them, but it also provides a common framework to express proofs. One benefit of this common framework is the possibility of sharing proofs coming from different theorem provers that rely on different proof systems. But nothing comes for free, and using the same proof checker does not guarantee in general that we can share proofs, because formulae and proofs can be translated in incompatible ways. Translation of proofs must rely on a shallow embedding in the sense proposed by Burel [10]: it reuses the features of the target language. It does not introduce new axioms and constants for logical symbols and inference rules. Connectives and binders of the underlying logic of the ATP are translated to their corresponding connectives and binders in the target language. In addition, a shallow embedding preserves the computational behavior of the original ATP and the underlying type system of the logic.

In this paper, we present a shallow embedding of Zenon Modulo proofs into the proof checker Dedukti, consisting of an encoding of a typed classical sequent calculus modulo into the λΠ-calculus modulo (λΠ≡ for short). Zenon Modulo [13] is an extension to deduction modulo [15] of the first-order tableau-based ATP Zenon [8]. It has also been extended to support ML polymorphism by implementing the TFF1 format [3]. Dedukti [7] is a proof checker that implements λΠ≡, a proof language that has been proposed as a proof standard for proof checking and interoperability. This embedding is used to certify proofs in two different projects: FoCaLiZe [11], a programming environment to develop certified programs, based on a functional programming language with object-oriented features, and BWare [14], an industrial research project that aims at providing a framework for the automated verification of proof obligations coming from the B method [1]. The main benefit of Zenon Modulo and Dedukti relies on deduction modulo. Deduction modulo is an extension of first-order logic that allows reasoning modulo a congruence relation over propositions. It is well suited for automated theorem proving when dealing with theories, since it turns axioms into rewrite rules. Using rewrite rules during proof search instead of reasoning on axioms lets provers focus on the challenging part of proofs, speeds up the tool and reduces the size of final proof trees [17].

Zenon was designed to support FoCaLiZe as its dedicated deductive tool and to generate proof certificates for Coq. The extension to deduction modulo constrains us to use a proof checker that can easily reason modulo rewriting. Dedukti is a good candidate to meet this specification. A previous embedding of Zenon Modulo proofs into Dedukti, based on a ¬¬-translation [13], was implemented as a tool to translate classical proofs into constructive ones. This tool has the benefit of being shallower, since it does not need to add the excluded middle as an axiom to the target logic defined in Dedukti, but in return this transformation may be very time-consuming [12] and was not scalable to large proofs like those produced in BWare. The closest related work is the shallow embedding of resolution and superposition proofs into Dedukti proposed by Burel [10] and implemented in iProver Modulo [9]. Our embedding is close enough to easily share proofs of Zenon Modulo and iProver Modulo in Dedukti, at least for the subset of untyped formulae.

The first contribution presented in this paper consists in the encoding into λΠ≡ of typed deduction modulo and a set of translation functions into λΠ≡ of theories expressed in this logic. Another contribution of this paper is the extension to deduction modulo and types of the sequent-like proof system LLproof, which is the output format of Zenon Modulo proofs. The last contribution is the embedding of this proof system into λΠ≡ and the associated translation function for proofs coming from this system.

This paper is organized as follows: in Sec. 2 we introduce typed deduction modulo; in Sec. 3 we present λΠ≡, its proof checker Dedukti, and a canonical encoding of typed deduction modulo in λΠ≡; Sec. 4 introduces the ATP Zenon Modulo, the proof system LLproof used by Zenon Modulo to output proofs, and the translation scheme implemented as the new output of Zenon Modulo; finally, in Sec. 5 we present some examples and results to assess our implementation.
2 Typed Deduction Modulo

The Poincaré principle, as stated by Barendregt and Barendsen [2], makes a distinction between deduction and computation. Deduction may be defined using a set of inference rules and axioms, while computation consists mainly in simplification and unfolding of definitions. When dealing with axiomatic theories, keeping all axioms on the deduction side leads to inefficient proof search, since the proof-search space grows with the theory. For instance, proving the following statement:

fst(a,a) = snd(a,a)

where a is a constant, and fst and snd are defined by:

∀x,y. fst(x,y) = x        ∀x,y. snd(x,y) = y

and with the reflexivity axiom:

∀x. x = x

using a usual automated theorem proving method such as tableaux will generate some useless boilerplate proof steps, whereas a simple unfolding of the definitions of fst and snd directly leads to the formula a = a.

Deduction modulo was introduced by Dowek, Hardin and Kirchner [15] as a logical formalism to deal with axiomatic theories in automated theorem proving. The proposed solution is to remove computational arguments from proofs by reasoning modulo a decidable congruence relation ≡ on propositions. Such a congruence may be generated by a confluent and terminating system of rewrite rules (sometimes extended by equational axioms).

In our example, the two definitions may be replaced by the rewrite rules:

fst(x,y) → x        snd(x,y) → y

and we obtain the following equivalence between propositions:

(fst(a,a) = snd(a,a)) ≡ (a = a)
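The unfolding just described, as an added example that is not part of the paper or of Zenon Modulo: a small Python term rewriter (constructed here; the tuple representation of terms and all names are ours) applies the rules fst(x,y) → x and snd(x,y) → y inside the proposition fst(a,a) = snd(a,a), checks that it is congruent to a = a, and treats the reflexivity axiom as a proposition rewrite rule x = x → ⊤. It also shows what goes wrong with the commutativity rule a && b → b && a of Sec. 5.1: with a bounded step count the rewriter reports non-termination instead of looping forever.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    """A rewrite-rule variable; any other term is (symbol, arg1, ..., argn)."""
    name: str


class NonTerminating(Exception):
    """Raised when the step budget runs out: the rule set does not terminate."""


def match(pattern, term, subst):
    """Extend `subst` so that pattern[subst] == term; return None on failure."""
    if isinstance(pattern, Var):
        if pattern in subst:
            return subst if subst[pattern] == term else None
        return {**subst, pattern: term}
    if isinstance(term, Var) or pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst


def instantiate(term, subst):
    """Replace the variables of `term` according to `subst`."""
    if isinstance(term, Var):
        return subst.get(term, term)
    return (term[0],) + tuple(instantiate(a, subst) for a in term[1:])


def rewrite_root(term, rules):
    """One rewrite step at the root with the first applicable rule, or None."""
    for lhs, rhs in rules:
        s = match(lhs, term, {})
        if s is not None:
            return instantiate(rhs, s)
    return None


def normalize(term, rules, max_steps=200):
    """Innermost normal form: arguments first, then the root, repeated.
    The step budget turns a looping rule set into an exception."""
    steps = 0

    def norm(t):
        nonlocal steps
        while not isinstance(t, Var):
            t = (t[0],) + tuple(norm(a) for a in t[1:])
            reduct = rewrite_root(t, rules)
            if reduct is None:
                return t
            steps += 1
            if steps > max_steps:
                raise NonTerminating("rewrite budget exhausted")
            t = reduct
        return t

    return norm(term)


def congruent(t, u, rules):
    """t ≡ u modulo the rules: same normal form (a decision procedure only
    when the rule set is confluent and terminating)."""
    return normalize(t, rules) == normalize(u, rules)


def diverges(term, rules):
    """True when normalising `term` exhausts the step budget."""
    try:
        normalize(term, rules)
        return False
    except NonTerminating:
        return True


def show(term):
    """Print a term or proposition in the paper's notation."""
    if isinstance(term, Var):
        return term.name
    sym, args = term[0], term[1:]
    if not args:
        return sym
    if sym in ("=", "&&") and len(args) == 2:
        return "%s %s %s" % (show(args[0]), sym, show(args[1]))
    return "%s(%s)" % (sym, ",".join(show(a) for a in args))


X, Y = Var("x"), Var("y")
A = ("a",)  # the constant a of the example

# The two definitions of Sec. 2 turned into term rewrite rules.
FST_SND_RULES = [(("fst", X, Y), X), (("snd", X, Y), Y)]
# Reflexivity as a proposition rewrite rule (atomic left side, non-linear pattern).
REFL = [(("=", X, X), ("⊤",))]
# "=" is an ordinary binary symbol here, so rewriting reaches inside the proposition.
GOAL = ("=", ("fst", A, A), ("snd", A, A))
# Commutativity as a rewrite rule (Sec. 5.1): a && b -> b && a never terminates.
COMMUTATIVITY = [(("&&", X, Y), ("&&", Y, X))]

if __name__ == "__main__":
    print(show(GOAL), "normalizes to", show(normalize(GOAL, FST_SND_RULES)))
    print("with reflexivity:", show(normalize(GOAL, FST_SND_RULES + REFL)))
    print("a && b diverges:", diverges(("&&", A, ("b",)), COMMUTATIVITY))
```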

Reasoning with several theories at the same time is often necessary in practice. For instance, in the BWare project, almost all proof obligations combine the theory of booleans, arithmetic and set theory. In this case, we have to introduce an expressive enough type system to ensure that an axiom about booleans, for instance ∀x. x = true ∨ x = false, will not be used with a term that has another type. An input format for ATP called TFF1 [3] has been proposed recently by Blanchette and Paskevich to deal with first-order problems with polymorphic types. We propose to extend this format to deduction modulo.

We now introduce the notion of typed rewrite system, extending the notations of Dowek et al. [15]. In the following, FV(t) stands for the set of free variables of t, where t is either a TFF1 term or a TFF1 formula.

Definition (Typed Rewrite System)

A term rewrite rule is a pair of TFF1 terms l and r together with a TFF1 typing context Δ, denoted by l →Δ r, where FV(r) ⊆ FV(l) ⊆ Δ. It is well-typed in a theory 𝒯 if l and r can be given the same type τ in 𝒯 using Δ to type free variables. A proposition rewrite rule is a pair of TFF1 formulae l and r together with a typing context Δ, denoted by l →Δ r, where l is an atomic formula and r is an arbitrary formula
Types       τ ::= α                                              (type variable)
              |  T(τ1, ..., τm)                                   (type constructor)

Terms       e ::= x                                              (term variable)
              |  f(τ1, ..., τm; e1, ..., en)                      (function)

Formulae    φ ::= ⊤ | ⊥                                          (true, false)
              |  ¬φ | φ1 ∧ φ2 | φ1 ∨ φ2 | φ1 ⇒ φ2 | φ1 ⇔ φ2       (logical connectives)
              |  e1 =τ e2                                        (term equality)
              |  P(τ1, ..., τm; e1, ..., en)                      (predicate)
              |  ∀x : τ. φ(x) | ∃x : τ. φ(x)                     (term quantifiers)
              |  ∀type α : type. φ(α) | ∃type α : type. φ(α)     (type quantifiers)

Context     Δ ::= ∅                                              (empty context)
              |  Δ, x : τ                                        (declaration)

Theory      𝒯 ::= ∅                                              (empty theory)
              |  𝒯, T/m                                          (m-ary type constructor declaration)
              |  𝒯, f : Π(α1, ..., αm). (τ1, ..., τn) → τ         (function declaration)
              |  𝒯, P : Π(α1, ..., αm). (τ1, ..., τn) → o         (predicate declaration)
              |  𝒯, name : φ                                     (axiom)
              |  𝒯, l →Δ r                                       (rewrite rule)

Figure 1: Syntax of TFF1≡


and where FV(r) ⊆ FV(l) ⊆ Δ. It is well-typed in a theory 𝒯 if both l and r are well-formed formulae in 𝒯 using Δ to type free variables.

A typed rewrite system is a set ℛ of proposition rewrite rules along with a set ℰ of term rewrite rules. Given a rewrite system ℛℰ, the relation ≡ℛℰ denotes the congruence generated by ℛℰ. It is well-formed in a theory 𝒯 if all its rewrite rules are well-typed in 𝒯.

The notion of TFF1 theory can be extended with rewrite rules; we call the resulting logic TFF1≡. Its syntax is given in Fig. 1.
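As an added illustration of the definition of well-typed term rewrite rules (this is not code from the paper or from Zenon Modulo), the following Python checker implements the side conditions FV(r) ⊆ FV(l) ⊆ Δ and "l and r have the same type in 𝒯 using Δ" on terms written in TFF1 style with explicit type arguments f(τ1, ..., τm; e1, ..., en). The theory (polymorphic fst and snd, a boolean conjunction &&), the sample rules and the error messages are constructed for this example and are assumptions of ours.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Var:
    """A term or type variable (the two namespaces never mix here)."""
    name: str


# Types: Var (type variable) or (T, τ1, ..., τm) for a type constructor.
# Terms: Var (term variable) or (f, [τ1, ..., τm], [e1, ..., en]).
# A theory maps each function symbol f to (type parameters, argument types,
# result type), i.e. f : Π(α1, ..., αm). (τ1, ..., τn) → τ of Fig. 1.

def free_vars(term):
    """FV(t) for a TFF1 term."""
    if isinstance(term, Var):
        return {term}
    return set().union(*(free_vars(e) for e in term[2]))


def subst_type(ty, s):
    """Instantiate the type parameters of a signature."""
    if isinstance(ty, Var):
        return s.get(ty, ty)
    return (ty[0],) + tuple(subst_type(t, s) for t in ty[1:])


def type_of(term, theory, delta):
    """Type of `term` in `theory` under the typing context Δ (var -> type).
    Raises TypeError when the term is ill-typed or uses an undeclared name."""
    if isinstance(term, Var):
        if term not in delta:
            raise TypeError("variable %s is not declared in Δ" % term.name)
        return delta[term]
    f, type_args, args = term
    if f not in theory:
        raise TypeError("unknown symbol %s" % f)
    params, arg_types, result = theory[f]
    if len(type_args) != len(params) or len(args) != len(arg_types):
        raise TypeError("wrong arity for %s" % f)
    s = dict(zip(params, type_args))
    for e, expected in zip(args, arg_types):
        if type_of(e, theory, delta) != subst_type(expected, s):
            raise TypeError("ill-typed argument of %s" % f)
    return subst_type(result, s)


def check_term_rule(theory, delta, lhs, rhs):
    """Definition (Typed Rewrite System) for a term rule l →Δ r:
    FV(r) ⊆ FV(l) ⊆ Δ and l, r have the same type in the theory using Δ.
    Returns None when the rule is well-typed, otherwise the reason it is not."""
    fv_l, fv_r = free_vars(lhs), free_vars(rhs)
    if not fv_r <= fv_l:
        return "FV(r) ⊄ FV(l): %s" % sorted(v.name for v in fv_r - fv_l)
    if not fv_l <= set(delta):
        return "FV(l) ⊄ Δ: %s" % sorted(v.name for v in fv_l - set(delta))
    try:
        tl, tr = type_of(lhs, theory, delta), type_of(rhs, theory, delta)
    except TypeError as err:
        return str(err)
    if tl != tr:
        return "l has type %s but r has type %s" % (tl, tr)
    return None


alpha, beta = Var("α"), Var("β")
x, y = Var("x"), Var("y")
BOOL = ("bool",)

# Constructed theory: the fst/snd of Sec. 2 made polymorphic, and a boolean &&.
THEORY = {
    "fst": ([alpha, beta], [alpha, beta], alpha),
    "snd": ([alpha, beta], [alpha, beta], beta),
    "&&": ([], [BOOL, BOOL], BOOL),
}
DELTA = {x: alpha, y: beta}

# fst(α,β; x,y) →Δ x : both sides have type α and FV(x) ⊆ FV(l) ⊆ Δ.
GOOD = (("fst", [alpha, beta], [x, y]), x)
# snd(α,β; x,y) →Δ x : the left side has type β, the right side type α.
ILL_TYPED = (("snd", [alpha, beta], [x, y]), x)
# x →Δ fst(α,β; x,y) : y is free on the right but not on the left.
EXTRA_VAR = (x, ("fst", [alpha, beta], [x, y]))
# x && x → x (idempotency of Sec. 5.1) is fine with x : bool ...
IDEMPOTENT = (("&&", [], [x, x]), x)
# ... but the boolean rule x && y → x cannot be used with x : α, y : β.
MIXED = (("&&", [], [x, y]), x)

if __name__ == "__main__":
    for name, rule in [("GOOD", GOOD), ("ILL_TYPED", ILL_TYPED),
                       ("EXTRA_VAR", EXTRA_VAR), ("MIXED", MIXED)]:
        print(name, "->", check_term_rule(THEORY, DELTA, *rule) or "well-typed")
    print("IDEMPOTENT ->", check_term_rule(THEORY, {x: BOOL}, *IDEMPOTENT) or "well-typed")
```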


3 Dedukti

The λΠ-calculus [5] is the simplest Pure Type System featuring dependent types. It is commonly used as a logical framework for encoding logics [15]. The λΠ-calculus modulo, presented in Fig. 2, is an extension of the λΠ-calculus with rewriting. The λΠ-calculus modulo (abbreviated as λΠ≡) has successfully been used to encode many logical systems (Coq [6], HOL, iProver Modulo [10], FoCaLiZe) using shallow embeddings.

In λΠ≡, conversion goes beyond simple β-equivalence, since it is extended by a custom rewrite system. When this rewrite system is both strongly normalizing and confluent, each term gets a unique (up to α-conversion) normal form, and both conversion and type-checking become decidable. Dedukti is an implementation of this decision procedure.

Burel [10] defines two encodings of deduction modulo in Dedukti: a deep encoding |φ|, in which logical connectives are simply declared as Dedukti constants, and a shallow encoding ||φ|| := prf |φ|, using a decoding function prf for translating connectives to their impredicative encodings. In Sec. 3.1 and Sec. 3.2 we extend these encodings to TFF1≡.
Syntax

s ::= Type | Kind
t ::= x | t t | λx : t. t | Πx : t. t | s
Δ ::= ∅ | Δ, x : t
Γ ::= ∅ | Γ, x : t | Γ, Δ ⊢ t ↪ t

Well-formedness

$\dfrac{}{\emptyset \vdash}$ (Empty)

$\dfrac{\Gamma \vdash \qquad \Gamma \vdash A : s \qquad x \notin \Gamma}{\Gamma, x : A \vdash}$ (Decl)

$\dfrac{\Gamma, \Delta \vdash l : A \qquad \Gamma, \Delta \vdash r : A \qquad \Gamma, \Delta \vdash A : \mathrm{Type} \qquad FV(r) \subseteq FV(l) \subseteq \Delta}{\Gamma, \Delta \vdash l \hookrightarrow r \vdash}$ (Rew)

Typing

$\dfrac{\Gamma \vdash}{\Gamma \vdash \mathrm{Type} : \mathrm{Kind}}$ (Sort)

$\dfrac{\Gamma \vdash \qquad x : A \in \Gamma}{\Gamma \vdash x : A}$ (Var)

$\dfrac{\Gamma \vdash t_1 : \Pi x : A.\, B(x) \qquad \Gamma \vdash t_2 : A}{\Gamma \vdash t_1\, t_2 : B(t_2)}$ (App)

$\dfrac{\Gamma \vdash A : \mathrm{Type} \qquad \Gamma, x : A \vdash B(x) : s}{\Gamma \vdash \Pi x : A.\, B(x) : s}$ (Prod)

$\dfrac{\Gamma \vdash A : \mathrm{Type} \qquad \Gamma, x : A \vdash t : B(x) \qquad \Gamma, x : A \vdash B(x) : s}{\Gamma \vdash \lambda x : A.\, t(x) : \Pi x : A.\, B(x)}$ (Abs)

$\dfrac{\Gamma \vdash t : A \qquad \Gamma \vdash B : s \qquad A \equiv_{\beta\Gamma} B}{\Gamma \vdash t : B}$ (Conv)

Figure 2: The λΠ-calculus modulo


3.1 Deep Embedding of Typed Deduction Modulo in Dedukti

In Fig. 3, for each symbol of our first-order typed logic, we declare its corresponding symbol in λΠ≡. In λΠ≡, types cannot be passed as arguments (no polymorphism), so we have to translate TFF1≡ types as Dedukti terms. The Dedukti type of translated TFF1≡ types is type, and we can see an inhabitant of type as a Dedukti type thanks to the term function.

In Fig. 4 we define a direct translation of TFF1≡ in Dedukti. It is correct in the following sense:

• if the theory 𝒯 is well-formed in TFF1≡, then |𝒯| ⊢ ;

• if τ is a well-formed TFF1≡ type in a theory 𝒯, then |𝒯| ⊢ |τ| : type;

• if t is a TFF1≡ term of type τ in a theory 𝒯, then |𝒯| ⊢ |t| : term |τ|;

• if φ is a well-formed TFF1≡ formula in a theory 𝒯, then |𝒯| ⊢ |φ| : Prop.


3.2 From Deep to Shallow

Following Burel [10], we add rewrite rules defining the decoding function prf in Fig. 5, using the usual impredicative encoding of connectives. This transforms our deep encoding of TFF1≡ into a shallow encoding in which all connectives are defined by the built-in constructions of λΠ≡.

This encoding is better suited for sharing proofs with other ATP, because it is less sensitive to small modifications of the logic. Any proof found, for example, by iProver Modulo is directly usable as an (untyped) proof in the shallow encoding.
Primitive Types

Prop : Type          prf : Prop → Type
type : Type          term : type → Type

Primitive Connectives

⊤ : Prop
⊥ : Prop
¬_ : Prop → Prop
_ ∧ _ : Prop → Prop → Prop
_ ∨ _ : Prop → Prop → Prop
_ ⇒ _ : Prop → Prop → Prop
_ ⇔ _ : Prop → Prop → Prop
∀ : Πα : type. (term α → Prop) → Prop
∀type : (type → Prop) → Prop
∃ : Πα : type. (term α → Prop) → Prop
∃type : (type → Prop) → Prop
_ = _ : Πα : type. term α → term α → Prop

Figure 3: Dedukti Declarations of TFF1≡ Symbols


Translation Function for Types

|α| := α        |T(τ1, ..., τm)| := T |τ1| ... |τm|

Translation Function for Terms

|x| := x        |f(τ1, ..., τm; e1, ..., en)| := f |τ1| ... |τm| |e1| ... |en|

Translation Function for Formulae

|⊤| := ⊤                                        |⊥| := ⊥
|¬φ| := ¬|φ|
|φ1 ∧ φ2| := |φ1| ∧ |φ2|                        |φ1 ∨ φ2| := |φ1| ∨ |φ2|
|φ1 ⇒ φ2| := |φ1| ⇒ |φ2|                        |φ1 ⇔ φ2| := |φ1| ⇔ |φ2|
|e1 =τ e2| := |e1| =|τ| |e2|
|P(τ1, ..., τm; e1, ..., en)| := P |τ1| ... |τm| |e1| ... |en|
|∀x : τ. φ| := ∀ |τ| (λx : term |τ|. |φ|)         |∃x : τ. φ| := ∃ |τ| (λx : term |τ|. |φ|)
|∀type α : type. φ| := ∀type (λα : type. |φ|)    |∃type α : type. φ| := ∃type (λα : type. |φ|)

Translation Function for Typing Contexts

|∅| := ∅        |Δ, x : τ| := |Δ|, x : term |τ|

Translation Function for Theories

|∅| := Γ0   where Γ0 is the Dedukti context of Fig. 3
|𝒯, T/m| := |𝒯|, T : type → ... → type → type   (m occurrences of "type →")
|𝒯, f : Π(α1, ..., αm). (τ1, ..., τn) → τ| := |𝒯|, f : Πα1 : type. ... Παm : type. term |τ1| → ... → term |τn| → term |τ|
|𝒯, P : Π(α1, ..., αm). (τ1, ..., τn) → o| := |𝒯|, P : Πα1 : type. ... Παm : type. term |τ1| → ... → term |τn| → Prop
|𝒯, name : φ| := |𝒯|, name : prf |φ|

Figure 4: Translation Functions from TFF1≡ to λΠ≡


4 Zenon Modulo

Zenon Modulo [13] is an extension to deduction modulo [15] of the first-order tableau-based automated theorem prover Zenon [8]. It has also been improved to deal with typed formulae and TFF1 input files. In this paper, we focus on the output format of Zenon Modulo. After finding a proof using its tableau-based proof-search algorithm [8], Zenon translates its proof tree into a low-level format called LLproof, which
prf ⊤ ↪ ΠP : Prop. prf P → prf P
prf ⊥ ↪ ΠP : Prop. prf P
prf (¬A) ↪ prf A → prf ⊥
prf (A ∧ B) ↪ ΠP : Prop. (prf A → prf B → prf P) → prf P
prf (A ∨ B) ↪ ΠP : Prop. (prf A → prf P) → (prf B → prf P) → prf P
prf (A ⇒ B) ↪ prf A → prf B
prf (A ⇔ B) ↪ prf ((A ⇒ B) ∧ (B ⇒ A))
prf (∀ τ P) ↪ Πx : term τ. prf (P x)
prf (∀type P) ↪ Πα : type. prf (P α)
prf (∃ τ P) ↪ ΠQ : Prop. (Πx : term τ. prf (P x) → prf Q) → prf Q
prf (∃type P) ↪ ΠQ : Prop. (Πα : type. prf (P α) → prf Q) → prf Q
prf (x =τ y) ↪ ΠP : (term τ → Prop). prf (P x) → prf (P y)

Figure 5: Shallow Definition of Logical Connectives in Dedukti


is a classical sequent-like proof system. This format is used for Zenon proofs before their automatic translation to Coq. LLproof is a one-sided sequent calculus with explicit contractions in every inference rule, which is close to an upside-down non-destructive tableau method.

We present in Figs. 6 and 7 the new proof system LLproof≡, an adaptation of the Zenon output format LLproof [8] to deduction modulo and TFF1 typing.

Normalization and deduction steps may interleave anywhere in the final proof tree. This leads to the introduction of the congruence relation inside the rules of Figs. 6 and 7: if the formula P is in normal form (with respect to ℛℰ), we denote by [P] any formula congruent to P modulo ℛℰ.

The extension of LLproof to TFF1 typing leads to the introduction of four new rules for quantification over type variables, ∃type, ¬∀type, ∀type and ¬∃type, and also to the introduction of some type information into

Closure and Quantifier-free Rules

$\dfrac{}{\Gamma, [\bot] \vdash \bot}\ \bot \qquad \dfrac{}{\Gamma, [\neg\top] \vdash \bot}\ \neg\top \qquad \dfrac{}{\Gamma, [P], [\neg P] \vdash \bot}\ \text{Ax}$

$\dfrac{}{\Gamma, [t \neq_\tau t] \vdash \bot}\ \neq \qquad \dfrac{}{\Gamma, [t =_\tau u], [u \neq_\tau t] \vdash \bot}\ \text{Sym} \qquad \dfrac{\Gamma, P \vdash \bot \qquad \Gamma, \neg P \vdash \bot}{\Gamma \vdash \bot}\ \text{Cut}$

$\dfrac{\Gamma, \neg\neg P, P \vdash \bot}{\Gamma, [\neg\neg P] \vdash \bot}\ \neg\neg \qquad \dfrac{\Gamma, P \wedge Q, P, Q \vdash \bot}{\Gamma, [P \wedge Q] \vdash \bot}\ \wedge \qquad \dfrac{\Gamma, P \vee Q, P \vdash \bot \qquad \Gamma, P \vee Q, Q \vdash \bot}{\Gamma, [P \vee Q] \vdash \bot}\ \vee$

$\dfrac{\Gamma, P \Rightarrow Q, \neg P \vdash \bot \qquad \Gamma, P \Rightarrow Q, Q \vdash \bot}{\Gamma, [P \Rightarrow Q] \vdash \bot}\ \Rightarrow \qquad \dfrac{\Gamma, P \Leftrightarrow Q, \neg P, \neg Q \vdash \bot \qquad \Gamma, P \Leftrightarrow Q, P, Q \vdash \bot}{\Gamma, [P \Leftrightarrow Q] \vdash \bot}\ \Leftrightarrow$

$\dfrac{\Gamma, \neg(P \wedge Q), \neg P \vdash \bot \qquad \Gamma, \neg(P \wedge Q), \neg Q \vdash \bot}{\Gamma, [\neg(P \wedge Q)] \vdash \bot}\ \neg\wedge \qquad \dfrac{\Gamma, \neg(P \vee Q), \neg P, \neg Q \vdash \bot}{\Gamma, [\neg(P \vee Q)] \vdash \bot}\ \neg\vee$

$\dfrac{\Gamma, \neg(P \Rightarrow Q), P, \neg Q \vdash \bot}{\Gamma, [\neg(P \Rightarrow Q)] \vdash \bot}\ \neg\Rightarrow \qquad \dfrac{\Gamma, \neg(P \Leftrightarrow Q), \neg P, Q \vdash \bot \qquad \Gamma, \neg(P \Leftrightarrow Q), P, \neg Q \vdash \bot}{\Gamma, [\neg(P \Leftrightarrow Q)] \vdash \bot}\ \neg\Leftrightarrow$

Figure 6: LLproof≡ Inference Rules of Zenon Modulo (part 1)





















Checking Zenon Modulo Proofs in Dedukti 


Quantifier Rules

$\dfrac{\Gamma, \exists_{\text{type}}\, \alpha : \text{type}.\ P(\alpha), P(\tau) \vdash \bot}{\Gamma, [\exists_{\text{type}}\, \alpha : \text{type}.\ P(\alpha)] \vdash \bot}\ \exists_{\text{type}}$   where τ is a fresh type constant

$\dfrac{\Gamma, \forall_{\text{type}}\, \alpha : \text{type}.\ P(\alpha), P(\beta) \vdash \bot}{\Gamma, [\forall_{\text{type}}\, \alpha : \text{type}.\ P(\alpha)] \vdash \bot}\ \forall_{\text{type}}$   where β is any closed type

$\dfrac{\Gamma, \exists x : \tau.\ P(x), P(c) \vdash \bot}{\Gamma, [\exists x : \tau.\ P(x)] \vdash \bot}\ \exists$   where c : τ is a fresh constant

$\dfrac{\Gamma, \forall x : \tau.\ P(x), P(t) \vdash \bot}{\Gamma, [\forall x : \tau.\ P(x)] \vdash \bot}\ \forall$   where t : τ is any closed term

$\dfrac{\Gamma, \neg\forall_{\text{type}}\, \alpha : \text{type}.\ P(\alpha), \neg P(\tau) \vdash \bot}{\Gamma, [\neg\forall_{\text{type}}\, \alpha : \text{type}.\ P(\alpha)] \vdash \bot}\ \neg\forall_{\text{type}}$   where τ is a fresh type constant

$\dfrac{\Gamma, \neg\exists_{\text{type}}\, \alpha : \text{type}.\ P(\alpha), \neg P(\beta) \vdash \bot}{\Gamma, [\neg\exists_{\text{type}}\, \alpha : \text{type}.\ P(\alpha)] \vdash \bot}\ \neg\exists_{\text{type}}$   where β is any closed type

$\dfrac{\Gamma, \neg\forall x : \tau.\ P(x), \neg P(c) \vdash \bot}{\Gamma, [\neg\forall x : \tau.\ P(x)] \vdash \bot}\ \neg\forall$   where c : τ is a fresh constant

$\dfrac{\Gamma, \neg\exists x : \tau.\ P(x), \neg P(t) \vdash \bot}{\Gamma, [\neg\exists x : \tau.\ P(x)] \vdash \bot}\ \neg\exists$   where t : τ is any closed term

Special Rules

$\dfrac{\Delta, t_1 \neq_{\tau'_1} u_1 \vdash \bot \qquad \cdots \qquad \Delta, t_n \neq_{\tau'_n} u_n \vdash \bot}{\Gamma, [P(\tau_1, \ldots, \tau_m; t_1, \ldots, t_n)], [\neg P(\tau_1, \ldots, \tau_m; u_1, \ldots, u_n)] \vdash \bot}\ \text{Pred}$
where Δ = Γ ∪ {P(τ1, ..., τm; t1, ..., tn), ¬P(τ1, ..., τm; u1, ..., un)}

$\dfrac{\Delta, t_1 \neq_{\tau'_1} u_1 \vdash \bot \qquad \cdots \qquad \Delta, t_n \neq_{\tau'_n} u_n \vdash \bot}{\Gamma, [f(\tau_1, \ldots, \tau_m; t_1, \ldots, t_n) \neq_\tau f(\tau_1, \ldots, \tau_m; u_1, \ldots, u_n)] \vdash \bot}\ \text{Fun}$
where Δ = Γ ∪ {f(τ1, ..., τm; t1, ..., tn) ≠τ f(τ1, ..., τm; u1, ..., un)}

$\dfrac{\Delta, H_{11}, \ldots, H_{1m} \vdash \bot \qquad \cdots \qquad \Delta, H_{n1}, \ldots, H_{nq} \vdash \bot}{\Gamma, [C_1], \ldots, [C_p] \vdash \bot}\ \text{Ext}(\text{name}, \text{args}, H_{ij})$
where Δ = Γ ∪ {C1, ..., Cp}

Figure 7: LLproof≡ Inference Rules of Zenon Modulo (part 2)


other rules dealing with equality or quantification. For instance, equality of two closed terms t and u, both of type τ, is denoted by t =τ u. For predicate and function symbols, we first list types, then terms, separated by a semicolon.

Finally, the last difference with respect to the rules presented in [8] is the removal of the rules "definition" and "lemma". Zenon Modulo, unlike Zenon, does not need to explicitly unfold definitions, and the lemma constructions have been removed.

4.1 Translation of Zenon Modulo Proofs into λΠ≡

We present in Fig. 8 a deep embedding of LLproof≡ into λΠ≡. We declare a constant for each inference rule, except for the special rules Pred and Fun, which depend on the arity n of their underlying predicate and function. Fortunately, they can be expressed with the following Subst inference rule, which corresponds to the substitution in a predicate P of a subterm t : τ' by another u : τ':

$\dfrac{\Gamma, P(t), t \neq_{\tau'} u \vdash \bot \qquad \Gamma, P(t), P(u) \vdash \bot}{\Gamma, [P(t)] \vdash \bot}\ \text{Subst}$
Zenon Modulo Rules

R⊥ : prf ⊥ → prf ⊥
R¬⊤ : prf (¬⊤) → prf ⊥
RAx : ΠP : Prop. prf P → prf (¬P) → prf ⊥
RCut : ΠP : Prop. (prf P → prf ⊥) → (prf (¬P) → prf ⊥) → prf ⊥
R≠ : Πα : type. Πt : term α. prf (t ≠α t) → prf ⊥
RSym : Πα : type. Πt, u : term α. prf (t =α u) → prf (u ≠α t) → prf ⊥
R¬¬ : ΠP : Prop. (prf P → prf ⊥) → prf (¬¬P) → prf ⊥
R∧ : ΠP, Q : Prop. (prf P → prf Q → prf ⊥) → prf (P ∧ Q) → prf ⊥
R∨ : ΠP, Q : Prop. (prf P → prf ⊥) → (prf Q → prf ⊥) → prf (P ∨ Q) → prf ⊥
R⇒ : ΠP, Q : Prop. (prf (¬P) → prf ⊥) → (prf Q → prf ⊥) → prf (P ⇒ Q) → prf ⊥
R⇔ : ΠP, Q : Prop. (prf (¬P) → prf (¬Q) → prf ⊥) → (prf P → prf Q → prf ⊥) → prf (P ⇔ Q) → prf ⊥
R¬∧ : ΠP, Q : Prop. (prf (¬P) → prf ⊥) → (prf (¬Q) → prf ⊥) → prf (¬(P ∧ Q)) → prf ⊥
R¬∨ : ΠP, Q : Prop. (prf (¬P) → prf (¬Q) → prf ⊥) → prf (¬(P ∨ Q)) → prf ⊥
R¬⇒ : ΠP, Q : Prop. (prf P → prf (¬Q) → prf ⊥) → prf (¬(P ⇒ Q)) → prf ⊥
R¬⇔ : ΠP, Q : Prop. (prf (¬P) → prf Q → prf ⊥) → (prf P → prf (¬Q) → prf ⊥) → prf (¬(P ⇔ Q)) → prf ⊥
R∃ : Πα : type. ΠP : (term α → Prop). (Πt : term α. (prf (P t) → prf ⊥)) → prf (∃ α P) → prf ⊥
R∀ : Πα : type. ΠP : (term α → Prop). Πt : term α. (prf (P t) → prf ⊥) → prf (∀ α P) → prf ⊥
R¬∃ : Πα : type. ΠP : (term α → Prop). Πt : term α. (prf (¬(P t)) → prf ⊥) → prf (¬(∃ α P)) → prf ⊥
R¬∀ : Πα : type. ΠP : (term α → Prop). (Πt : term α. (prf (¬(P t)) → prf ⊥)) → prf (¬(∀ α P)) → prf ⊥
R∃type : ΠP : (type → Prop). (Πα : type. (prf (P α) → prf ⊥)) → prf (∃type P) → prf ⊥
R∀type : ΠP : (type → Prop). Πα : type. (prf (P α) → prf ⊥) → prf (∀type P) → prf ⊥
R¬∃type : ΠP : (type → Prop). Πα : type. (prf (¬(P α)) → prf ⊥) → prf (¬(∃type P)) → prf ⊥
R¬∀type : ΠP : (type → Prop). (Πα : type. (prf (¬(P α)) → prf ⊥)) → prf (¬(∀type P)) → prf ⊥
RSubst : Πα : type. ΠP : (term α → Prop). Πt, u : term α. (prf (t ≠α u) → prf ⊥) → (prf (P u) → prf ⊥) → prf (P t) → prf ⊥

Figure 8: LLproof≡ in λΠ≡


The special rules Pred and Fun can be easily decomposed into n applications of the Subst rule. For instance, for a binary predicate P, from (we omit to repeat the context Γ)

$\dfrac{\overset{\Pi_1}{t_1 \neq_{\tau'} u_1 \vdash \bot} \qquad \overset{\Pi_2}{t_2 \neq_{\tau''} u_2 \vdash \bot}}{P(\tau; t_1, t_2), \neg P(\tau; u_1, u_2) \vdash \bot}\ \text{Pred}$

we obtain

$\dfrac{\overset{\Pi_1}{t_1 \neq_{\tau'} u_1 \vdash \bot} \qquad \dfrac{\overset{\Pi_2}{t_2 \neq_{\tau''} u_2 \vdash \bot} \qquad \dfrac{}{P(\tau; u_1, u_2), \neg P(\tau; u_1, u_2) \vdash \bot}\ \text{Ax}}{P(\tau; u_1, t_2), \neg P(\tau; u_1, u_2) \vdash \bot}\ \text{Subst}}{P(\tau; t_1, t_2), \neg P(\tau; u_1, u_2) \vdash \bot}\ \text{Subst}$


In Fig. 9 we present the translation function for LLproof≡ sequents and proofs into λΠ≡. Let us present a simple example. We want to translate this proof tree:

$\Pi := \dfrac{\overset{\Pi_P}{\Gamma, P \vee Q, P \vdash \bot} \qquad \overset{\Pi_Q}{\Gamma, P \vee Q, Q \vdash \bot}}{\Gamma, P \vee Q \vdash \bot}\ \vee(P, Q)$

















Translation Function for Sequents

|[φ1], ..., [φn] ⊢ ⊥| := x_{φ1} : prf |φ1|, ..., x_{φn} : prf |φn|

Translation Function for Proofs

$\left| \dfrac{\overset{\Pi_1}{\Gamma, C_1, \ldots, C_p, H_{11}, \ldots, H_{1m} \vdash \bot} \qquad \cdots \qquad \overset{\Pi_n}{\Gamma, C_1, \ldots, C_p, H_{n1}, \ldots, H_{nq} \vdash \bot}}{\Gamma, [C_1], \ldots, [C_p] \vdash \bot}\ \text{Rule}(Arg_1, \ldots, Arg_r) \right|$

:= R_Rule |Arg1| ... |Argr| (λx_{H11} : prf |H11|. ... λx_{H1m} : prf |H1m|. |Π1|) ... (λx_{Hn1} : prf |Hn1|. ... λx_{Hnq} : prf |Hnq|. |Πn|) x_{C1} ... x_{Cp}

Figure 9: Translation Functions for LLproof≡ Proofs into λΠ≡


where ΠP and ΠQ are respectively proofs of the sequents Γ, P ⊢ ⊥ and Γ, Q ⊢ ⊥, and where we annotate rule names with their parameters. Then, by applying the translation procedure of Figs. 4 and 9, we obtain the Dedukti term

R∨ |P| |Q| (λxP : prf |P|. |ΠP|) (λxQ : prf |Q|. |ΠQ|) x_{P∨Q}

where the notation |v| means the translation of v into λΠ≡, and xP is a variable declared of type prf |P|. We then check that Π is a proof of the sequent Γ, P ∨ Q ⊢ ⊥ in a TFF1≡ theory 𝒯 by checking that |𝒯|, |Γ, P ∨ Q| ⊢ |Π| : prf ⊥ in λΠ≡.

More generally, for any LLproof≡ proof Π and any sequent Γ ⊢ ⊥, we check that Π is a proof of Γ ⊢ ⊥ by checking the λΠ≡ typing judgment |𝒯|, |Γ| ⊢ |Π| : prf ⊥.
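As an added example (not code from the paper or from Zenon Modulo), the following Python implements the translation scheme of Fig. 9 on a small proof-tree datatype, together with the decomposition of Pred into Subst steps described in Sec. 4.1, so that a tree containing Pred can be translated with the constants of Fig. 8 only. Formulas are plain strings, so |φ| is φ itself; the variable naming x_{φ}, the constant names R_Rule and the sample trees (the ∨ example above with both branches closed by Ax, and a binary Pred whose premises are left as the named terms |Π1| and |Π2|) are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass
class Proof:
    """One LLproof≡ inference: the rule name, its arguments, the premises as
    pairs (hypothesis formula introduced, sub-proof) and the principal formulas
    C1..Cp of the conclusion.  A sub-proof may also be a string naming an
    already translated proof term (written |Π| in the paper)."""
    rule: str
    args: list
    hyps: list
    principal: list


def var(formula):
    """Name of the Dedukti variable standing for hypothesis `formula`."""
    return "x_{%s}" % formula


def prf(formula):
    """prf |φ|, parenthesised unless φ is a bare identifier."""
    return "prf %s" % formula if formula.isidentifier() else "prf (%s)" % formula


def translate(proof):
    """|Π| following Fig. 9 (formulas are strings, so |φ| is φ):
    R_Rule |Arg1| ... |Argr| (λx_H1 : prf |H1|. |Π1|) ... x_C1 ... x_Cp."""
    if isinstance(proof, str):
        return proof
    parts = ["R_" + proof.rule] + list(proof.args)
    for hyp, sub in proof.hyps:
        parts.append("(λ%s : %s. %s)" % (var(hyp), prf(hyp), translate(sub)))
    parts += [var(c) for c in proof.principal]
    return " ".join(parts)


def pred_to_subst(pred, tau, ts, us, hyps):
    """Decompose Pred on an n-ary predicate (Sec. 4.1) into n nested Subst
    steps: step i replaces t_i by u_i in P(τ; u1..u_{i-1}, t_i..t_n) using the
    sub-proof of t_i ≠ u_i ⊢ ⊥; Ax closes P(τ; u1..un), ¬P(τ; u1..un) ⊢ ⊥."""
    def app(args):
        return "%s(%s; %s)" % (pred, tau, ", ".join(args))

    def step(i):
        if i == len(ts):
            return Proof("Ax", [app(us)], [], [app(us), "¬" + app(us)])
        current = app(us[:i] + ts[i:])
        after = app(us[:i + 1] + ts[i + 1:])
        pattern = "(λz. %s)" % app(us[:i] + ["z"] + ts[i + 1:])
        return Proof("Subst", [tau, pattern, ts[i], us[i]],
                     [(ts[i] + " ≠ " + us[i], hyps[i]), (after, step(i + 1))],
                     [current])

    return step(0)


# Constructed instance of the ∨ example of Sec. 4.1, both branches closed by Ax.
OR_EXAMPLE = Proof("∨", ["P", "Q"],
                   [("P", Proof("Ax", ["P"], [], ["P", "¬P"])),
                    ("Q", Proof("Ax", ["Q"], [], ["Q", "¬Q"]))],
                   ["P ∨ Q"])

# Constructed Pred instance for a binary predicate; its two premises are kept
# as the named proof terms |Π1| and |Π2|, as in the paper.
PRED_EXAMPLE = pred_to_subst("P", "τ", ["t1", "t2"], ["u1", "u2"], ["|Π1|", "|Π2|"])

if __name__ == "__main__":
    print(translate(OR_EXAMPLE))
    print(translate(PRED_EXAMPLE))
```

Each lambda introduced by `translate` has the type prf |H| of the hypothesis it discharges, which is exactly the order of arguments the constants of Fig. 8 expect (hypothesis continuations first, then the principal formulas); a mismatch would be rejected by Dedukti when the term is checked against prf ⊥.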


4.2 Shallow Embedding of LLproof≡

The embedding of LLproof≡ presented in Fig. 8 can also be lifted to a shallow embedding. In Fig. 13 of the appendix we present rewrite rules that prove all constants corresponding to LLproof≡ inference rules in the logic presented in Sec. 3. This has been written in Dedukti syntax and successfully checked by Dedukti (see the file modulogic.dk distributed with the source code of Zenon Modulo¹). The only remaining axiom is the law of excluded middle. This shows the soundness of LLproof≡ relative to the consistency of the logic of Sec. 3.


5 Experimental Results

Zenon Modulo helps to automatically discharge proof obligations, in particular in the two projects FoCaLiZe [11] and BWare [14]. We present in this section some examples of theories, and simple related properties, that are handled successfully by Zenon Modulo and its translation to Dedukti.

¹ https://www.rocq.inria.fr/deducteam/ZenonModulo/

Figure 10: A TFF1≡ Theory of Booleans


5.1 Application to FoCaLiZe

FoCaLiZe is a framework for specifying, developing and certifying programs. The specification language is first-order logic, and proofs can be discharged to Zenon or Zenon Modulo. The FoCaLiZe compiler produces both a regular program written in OCaml and a certificate written either in Coq or in Dedukti (but only the Dedukti output can be used with Zenon Modulo).

In FoCaLiZe, specifications usually rely a lot on the primitive type bool, so it is important that Zenon Modulo deals with booleans efficiently. In order to prove all propositional tautologies, it is enough to add the following rules for reasoning by case on booleans (together with the truth tables of the connectives):

$\dfrac{\Gamma, \neg P(\text{true}) \vdash \bot \qquad \Gamma, \neg P(\text{false}) \vdash \bot}{\Gamma, [\neg\forall b : \text{bool}.\ P(b)] \vdash \bot}\ \text{Ext}(\text{bool-case-}\neg\forall, P)$

$\dfrac{\Gamma, P(\text{true}) \vdash \bot \qquad \Gamma, P(\text{false}) \vdash \bot}{\Gamma, [\exists b : \text{bool}.\ P(b)] \vdash \bot}\ \text{Ext}(\text{bool-case-}\exists, P)$

However, we get a much smaller proof-search space and smaller proofs by adding common algebraic laws as rewrite rules. In Fig. 10 we define a theory of booleans in TFF1≡. This theory handles idempotency and associativity of conjunction and disjunction, but not commutativity, because the rule
λx1 : prf (¬(∀ bool (λx : term bool. ∀ bool (λy : term bool. x && y =bool y && x)))).
  R_{bool-case-¬∀}
    (λx : term bool. ∀ bool (λy : term bool. x && y =bool y && x))
    (λx2 : prf (¬(∀ bool (λy : term bool. y =bool y))).
      R¬∀ bool
        (λy : term bool. y =bool y)
        (λa : term bool.
          λx3 : prf (a ≠bool a).
          R≠ bool a x3)
        x2)
    (λx4 : prf (¬(∀ bool (λy : term bool. false =bool false))).
      R¬∀ bool
        (λy : term bool. false =bool false)
        (λa : term bool.
          λx5 : prf (false ≠bool false).
          R≠ bool false x5)
        x4)
    x1

Figure 11: Proof Certificate for Commutativity of Conjunction in Dedukti


a && b → b && a would lead to a non-terminating rewrite system; therefore, commutativity is a lemma with the following proof:

$\dfrac{\dfrac{\dfrac{}{a \neq_{\text{bool}} a \vdash \bot}\ \neq}{\neg\forall y : \text{bool}.\ y =_{\text{bool}} y \vdash \bot}\ \neg\forall \qquad \dfrac{\dfrac{}{\text{false} \neq_{\text{bool}} \text{false} \vdash \bot}\ \neq}{\neg\forall y : \text{bool}.\ \text{false} =_{\text{bool}} \text{false} \vdash \bot}\ \neg\forall}{\neg\forall x, y : \text{bool}.\ x\ \&\&\ y =_{\text{bool}} y\ \&\&\ x \vdash \bot}\ \text{Ext}(\text{bool-case-}\neg\forall)$

The translation of this proof into Dedukti is shown in Fig. 11.


5.2 Application to Set Theory

The BWare project is an industrial research project that aims to provide a framework to support the automated verification of proof obligations coming from the development of industrial applications using the B method [1]. The B method relies on a particular set theory with types. In the context of the BWare project, this typed set theory has been encoded into WhyML, the native language of Why3 [16]. To call Zenon Modulo, Why3 translates proof obligations and the B theory into the TFF1 format. If it succeeds in proving the proof obligation, Zenon Modulo produces a proof certificate containing both the theory and the term, following the model presented in Fig. 12.

The BWare project provides a large benchmark made of 12,876 proof obligations coming from industrial projects. The embedding presented in this paper allowed us to verify with Dedukti all the 10,340 proof obligations that are proved by Zenon Modulo.

Let us present a small subset of this set theory, and a simple example of an LLproof≡ proof produced by Zenon Modulo. The theory consists of three axioms that have been turned into rewrite rules. We define the constructors: a type constructor set, the membership predicate ∈, equality on sets =set, the empty set ∅ and the difference of sets −. For readability, we use an infix notation and put the type parameters of functions and predicates in subscript. We want to prove the property

∀type α : type. ∀s : set α. s −α s =set_α ∅α
set : type → type

_ ∈ _ : Πα : type. (term α) → (term (set α)) → Prop

_ =set _ : Πα : type. (term (set α)) → (term (set α)) → Prop

∅ : Πα : type. (term (set α))

_ − _ : Πα : type. (term (set α)) → (term (set α)) → (term (set α))

s =set_α t ↪ ∀ (α) (λx : (term α). x ∈α s ⇔ x ∈α t)

x ∈α ∅α ↪ ⊥

x ∈α s −α t ↪ x ∈α s ∧ x ∉α t

Goal : prf (¬(∀type (λα : type. (∀ (set α) (λs : (term (set α)). s −α s =set_α ∅α))))) → prf ⊥

[] Goal ↪ λx1 : prf (¬(∀type (λα : type. (∀ (set α) (λs : (term (set α)). s −α s =set_α ∅α))))).
  R¬∀type (λα : type. (∀ (set α) (λs : (term (set α)). s −α s =set_α ∅α)))
    (λτ : type.
      λx2 : prf (¬(∀ (set τ) (λs : (term (set τ)). s −τ s =set_τ ∅τ))).
      R¬∀ (set τ)
        (λs : (term (set τ)). s −τ s =set_τ ∅τ)
        (λc1 : (term (set τ)).
          λx3 : prf (c1 −τ c1 ≠set_τ ∅τ).
          R¬∀ (τ)
            (λx : (term τ). (x ∈τ c1 −τ c1) ⇔ (x ∈τ ∅τ))
            (λc2 : (term τ).
              λx4 : prf (¬((c2 ∈τ c1 −τ c1) ⇔ (c2 ∈τ ∅τ))).
              R¬⇔ (c2 ∈τ c1 −τ c1)
                  (c2 ∈τ ∅τ)
                  (λx5 : prf (¬(c2 ∈τ c1 −τ c1)).
                    λx6 : prf (c2 ∈τ ∅τ).
                    R⊥ x6)
                  (λx7 : prf (c2 ∈τ c1 −τ c1).
                    λx8 : prf (¬(c2 ∈τ ∅τ)).
                    R∧ (c2 ∈τ c1)
                       (c2 ∉τ c1)
                       (λx9 : prf (c2 ∈τ c1).
                         λx10 : prf (c2 ∉τ c1).
                         RAx (c2 ∈τ c1) x9 x10)
                       x7)
                  x4)
            x3)
        x2)
    x1

Figure 12: Proof Certificate for a B Set Theory Property in Dedukti
with the theory:

set/1
_ ∈ _ : Πα. α → set α → Prop
_ =set _ : Πα. set α → set α → Prop
∅ : Πα. set α
_ − _ : Πα. set α → set α → set α

s =set_α t → ∀x : α. x ∈α s ⇔ x ∈α t
x ∈α ∅α → ⊥
x ∈α s −α t → x ∈α s ∧ x ∉α t

The LLproof≡ proof tree generated by Zenon Modulo is (we omit to repeat the context Γ):

$\dfrac{\dfrac{\dfrac{\dfrac{\dfrac{}{\neg(c_2 \in_\tau c_1 -_\tau c_1), c_2 \in_\tau \emptyset_\tau \vdash \bot}\ \bot \qquad \dfrac{\dfrac{}{c_2 \in_\tau c_1, c_2 \notin_\tau c_1 \vdash \bot}\ \text{Ax}}{c_2 \in_\tau c_1 -_\tau c_1, \neg(c_2 \in_\tau \emptyset_\tau) \vdash \bot}\ \wedge}{\neg((c_2 \in_\tau c_1 -_\tau c_1) \Leftrightarrow (c_2 \in_\tau \emptyset_\tau)) \vdash \bot}\ \neg\Leftrightarrow}{\neg(c_1 -_\tau c_1 =_{\text{set}\,\tau} \emptyset_\tau) \vdash \bot}\ \neg\forall}{\neg(\forall s : \text{set}\,\tau.\ s -_\tau s =_{\text{set}\,\tau} \emptyset_\tau) \vdash \bot}\ \neg\forall}{\neg(\forall_{\text{type}}\, \alpha : \text{type}.\ \forall s : \text{set}\,\alpha.\ s -_\alpha s =_{\text{set}\,\alpha} \emptyset_\alpha) \vdash \bot}\ \neg\forall_{\text{type}}$

We obtain the proof certificate of Fig. 12, checkable by Dedukti using the file modulogic.dk, and it is successfully checked.

6 Conclusion 

We have presented a shallow embedding of Zenon Modulo proofs into Dedukti. For this encoding, we 
needed to embed into λΠ≡ an extension to deduction modulo of the underlying logic of the TFF1 
format, denoted by TFF1≡. We then defined LLproof≡, the extension to TFF1≡ of the proof system 
LLproof, which is the output format of Zenon Modulo. Finally, we embedded LLproof≡ into λΠ≡ 
by giving the translation function for proofs. This embedding is shallow in the sense that we reused 
the features of the target language and did not declare new constants for connectives and inference 
rules. The only axiom that we added is the law of excluded middle. 

This embedding has helped us to verify a large set of proof obligations coming from two different 
projects. FoCaLiZe can now benefit from deduction modulo to improve program verification when dealing 
with theories. In BWare, this work allowed us to certify all the proofs generated by Zenon Modulo. 

Our work is closely related to the embedding of iProver Modulo proofs into Dedukti [10]. The two 
main differences are the assumption of the excluded middle and the extension of the logic to deal with 
ML-style polymorphism. Because these shallow encodings are close, we could easily share proofs of 
untyped formulae with iProver Modulo. 

We do not have to trust the full implementation of Zenon Modulo but only the translation of TFF1≡ 
problems to λΠ≡ discussed in Sec. 3 and, of course, Dedukti. In the case of FoCaLiZe, we go even 
further by using an external translator, Focalide [11]. Hence Zenon Modulo requires no confidence 
in that context. As future work, we want to export this model. To achieve that, deduction tools must 
be able to read Dedukti in addition to writing it. This model improves the confidence in automated 
deduction tools because it is no longer possible to introduce an inconsistency inside a proof certificate. In 
addition, when verifying several formulae, it should be possible to inject terms coming from 
different tools inside the same Dedukti file. A first experiment with Zenon Modulo and iProver Modulo 
in FoCaLiZe would be an interesting proof of concept. 
A Appendix: Shallow Embedding of the LLproof≡ System into Dedukti 


Law of Excluded Middle and Lemmas 

ExMid (P : Prop) : ΠZ : Prop, (prf P → prf Z) → (prf (¬P) → prf Z) → prf Z

NNPP (P : Prop) : prf (¬¬P) → prf P
  := λH1 : prf (¬¬P). ExMid P P (λH2 : prf P. H2) (λH3 : prf (¬P). H1 H3 P) □

Contr (P : Prop, Q : Prop) : (prf (P ⇒ Q) → prf (¬Q) → prf (¬P))
  := λH1 : prf (P ⇒ Q). λH2 : prf (¬Q). λH3 : prf P. H2 (H1 H3) □

LLproof Inference Rules 

[] R⊥ ↪ λH : prf ⊥. H □

[] R¬⊤ ↪ λH1 : prf (¬⊤). H1 (λZ : Prop. λH2 : prf Z. H2) □

[P : Prop] R_Ax P ↪ λH1 : prf P. λH2 : prf (¬P). H2 H1 □

[α : type, t : term α] R≠ α t ↪ λH1 : prf (t ≠α t). H1 (λz : (term α → Prop). λH2 : prf (z t). H2) □

[α : type, t : term α, u : term α] R_sym α t u ↪ λH1 : prf (t =α u). λH2 : prf (u ≠α t). H2
  (λz : (term α → Prop). λH3 : prf (z u). H1 (λx : term α. (z x) ⇒ (z t)) (λH4 : prf (z t). H4) H3) □

[P : Prop] R_cut P ↪ λH1 : (prf P → prf ⊥). λH2 : (prf (¬P) → prf ⊥). H2 H1 □

[P : Prop] R¬¬ P ↪ λH1 : (prf P → prf ⊥). λH2 : prf (¬¬P). H2 H1 □

[P : Prop, Q : Prop] R∧ P Q ↪ λH1 : (prf P → prf Q → prf ⊥). λH2 : prf (P ∧ Q). H2 ⊥ H1 □

[P : Prop, Q : Prop] R∨ P Q ↪ λH1 : (prf P → prf ⊥). λH2 : (prf Q → prf ⊥). λH3 : prf (P ∨ Q). H3 ⊥ H1 H2 □

[P : Prop, Q : Prop] R⇒ P Q ↪ λH1 : (prf (¬P) → prf ⊥). λH2 : (prf Q → prf ⊥). λH3 : prf (P ⇒ Q). H1
  (Contr P Q H3 H2) □

[P : Prop, Q : Prop] R⇔ P Q ↪ λH1 : (prf (¬P) → prf (¬Q) → prf ⊥). λH2 : (prf P → prf Q → prf ⊥).
  λH3 : prf (P ⇔ Q). H3 ⊥ (λH4 : (prf P → prf Q). λH5 : (prf Q → prf P). (H1 (Contr P Q H4
  (λH6 : prf Q. (H2 (H5 H6)) H6)) (λH6 : prf Q. (H2 (H5 H6)) H6))) □

[P : Prop, Q : Prop] R¬∧ P Q ↪ λH1 : (prf (¬P) → prf ⊥). λH2 : (prf (¬Q) → prf ⊥). λH3 : prf (¬(P ∧ Q)).
  H1 (λH4 : prf P. H2 (λH5 : prf Q. H3 (λZ : Prop. λH6 : (prf P → prf Q → prf Z). H6 H4 H5))) □

[P : Prop, Q : Prop] R¬∨ P Q ↪ λH1 : (prf (¬P) → prf (¬Q) → prf ⊥). λH2 : prf (¬(P ∨ Q)). H1 (Contr P (P ∨ Q)
  (λH3 : prf P. λZ : Prop. λH4 : (prf P → prf Z). λH5 : (prf Q → prf Z). H4 H3) H2) (Contr Q (P ∨ Q)
  (λH3 : prf Q. λZ : Prop. λH4 : (prf P → prf Z). λH5 : (prf Q → prf Z). H5 H3) H2) □

[P : Prop, Q : Prop] R¬⇒ P Q ↪ λH1 : (prf P → prf (¬Q) → prf ⊥). λH2 : prf (¬(P ⇒ Q)). H2 (λH3 : prf P.
  (H1 H3) (λH4 : prf Q. H2 (λH5 : prf P. H4)) Q) □

[P : Prop, Q : Prop] R¬⇔ P Q ↪ λH1 : (prf (¬P) → prf Q → prf ⊥). λH2 : (prf P → prf (¬Q) → prf ⊥).
  λH3 : prf (¬(P ⇔ Q)). ExMid P ⊥
  (λH4 : prf P. H2 H4 (λH8 : prf Q. H3 (λZ : Prop. λH9 : (prf (P ⇒ Q) → prf (Q ⇒ P) → prf Z).
    H9 (λH10 : prf P. H8) (λH11 : prf Q. H4))))
  (λH4 : prf (¬P). H3 (λZ : Prop. λH5 : (prf (P ⇒ Q) → prf (Q ⇒ P) → prf Z).
    H5 (λH6 : prf P. H4 H6 Q) (λH7 : prf Q. H1 H4 H7 P))) □

[α : type, P : term α → Prop] R∃ α P ↪ λH1 : (t : term α → prf (P t) → prf ⊥). λH2 : prf (∃ α P). H2 ⊥ H1 □

[α : type, P : term α → Prop, t : term α] R∀ α P t ↪ λH1 : (prf (P t) → prf ⊥). λH2 : prf (∀ α P). H1 (H2 t) □

[α : type, P : term α → Prop, t : term α] R¬∃ α P t ↪ λH1 : (prf (¬(P t)) → prf ⊥). λH2 : prf (¬(∃ α P)). H1
  (λH4 : prf (P t). H2 (λZ : Prop. λH3 : (x : term α → prf (P x) → prf Z). H3 t H4)) □

[α : type, P : term α → Prop] R¬∀ α P ↪ λH1 : (t : term α → prf (¬(P t)) → prf ⊥). λH2 : prf (¬(∀ α P)).
  H2 (λt : term α. NNPP (P t) (H1 t)) □

[P : type → Prop] R∃type P ↪ λH1 : (α : type → prf (P α) → prf ⊥). λH2 : prf (∃type P). H2 ⊥ H1 □

[P : type → Prop, α : type] R∀type P α ↪ λH1 : (prf (P α) → prf ⊥). λH2 : prf (∀type P). H1 (H2 α) □

[P : type → Prop, α : type] R¬∃type P α ↪ λH1 : (prf (¬(P α)) → prf ⊥). λH2 : prf (¬(∃type P)). H1
  (λH4 : prf (P α). H2 (λZ : Prop. λH3 : (β : type → prf (P β) → prf Z). H3 α H4)) □

[P : type → Prop] R¬∀type P ↪ λH1 : (α : type → prf (¬(P α)) → prf ⊥). λH2 : prf (¬(∀type P)). H2
  (λα : type. NNPP (P α) (H1 α)) □

[α : type, P : term α → Prop, t1 : term α, t2 : term α] R_subst α P t1 t2 ↪ λH1 : (prf (t1 ≠α t2) → prf ⊥).
  λH2 : (prf (P t2) → prf ⊥). λH3 : prf (P t1). H1 (λH4 : prf (t1 =α t2). H2 (H4 P H3)) □

Figure 13: Shallow Embedding of LLproof≡ into Dedukti
The deep embedding of LLproof≡ presented in Sec. 4.1 is well-typed with respect to the deep embedding 
of typed deduction modulo presented in Sec. 3.1. Using the shallow embedding presented in 
Sec. 3.2, we can prove all the rules declared in Fig. 8 by rewriting the R_rule symbols using only one 
axiom: the law of excluded middle. These proofs are listed in Fig. 13, where the □ symbol is used to 
delimit proofs. 


